From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter <netfilter@vger.kernel.org>,
netfilter-devel <netfilter-devel@vger.kernel.org>
Cc: netdev@vger.kernel.org, netfilter-announce@lists.netfilter.org,
lwn@lwn.net
Subject: [ANNOUNCE] nftables 0.9.8 release
Date: Fri, 15 Jan 2021 22:59:42 +0100
Message-ID: <20210115215942.GA20205@salvia>
Hi!
The Netfilter project proudly presents:
nftables 0.9.8
This release contains fixes, documentation updates and new features
available up to the Linux kernel 5.11-rc1 release.
* Complete support for matching ICMP header content fields.
... icmp type { echo-reply, echo-request } icmp id 1 icmp sequence 2
... icmpv6 type packet-too-big icmpv6 mtu 1280
* Add raw tcp option match support
... tcp option @42,16,4
where you can specify @kind,offset,length
* Allow to check for the presence of any tcp option
... tcp option 42 exists
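As an added illustration (not nft's or the kernel's own code), here is a Python model of what the two tcp option matches above inspect, run on a constructed TCP SYN header. It assumes, as I read the @kind,offset,length syntax, that offset and length are given in bits counted from the option's kind byte; the sample header and the option kind 42 payload are made up for the example.

```python
import struct

# Constructed sample: a TCP SYN header with MSS, two NOPs, a kind-42 option
# carrying six data bytes, and two bytes of end-of-list padding (data offset 9).
SAMPLE_TCP_HEADER = (
    struct.pack("!HHIIBBHHH", 12345, 22, 0, 0, 9 << 4, 0x02, 65535, 0, 0)
    + b"\x02\x04\x05\xb4"                      # MSS 1460
    + b"\x01\x01"                              # NOP, NOP
    + bytes([42, 8, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66])
    + b"\x00\x00"                              # EOL padding
)

def tcp_options(tcp_header):
    """Yield (kind, option bytes incl. kind/len) per option; stop on EOL or damage."""
    doff = (tcp_header[12] >> 4) * 4           # header length from data offset
    opts = tcp_header[20:doff]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                          # end of option list
            return
        if kind == 1:                          # NOP has no length byte
            yield kind, opts[i:i + 1]
            i += 1
            continue
        if i + 1 >= len(opts):                 # kind byte without a length byte
            return
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):   # malformed or truncated option
            return
        yield kind, opts[i:i + length]
        i += length

def option_exists(tcp_header, kind):
    """Model of 'tcp option <kind> exists'."""
    return any(k == kind for k, _ in tcp_options(tcp_header))

def raw_option_field(tcp_header, kind, offset_bits, length_bits):
    """Model of 'tcp option @kind,offset,length' (assumed bit units): the
    selected bits as an integer, or None when the option is absent or the
    requested range runs past its end."""
    for k, opt in tcp_options(tcp_header):
        if k != kind:
            continue
        total = len(opt) * 8
        if offset_bits + length_bits > total:
            return None
        value = int.from_bytes(opt, "big")
        return (value >> (total - offset_bits - length_bits)) & ((1 << length_bits) - 1)
    return None
```

With this header, `raw_option_field(SAMPLE_TCP_HEADER, 42, 16, 4)` is the value that `tcp option @42,16,4` would compare against, and `option_exists(SAMPLE_TCP_HEADER, 42)` is the `tcp option 42 exists` check.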
* Support for rejecting traffic from the ingress chain:
        table netdev x {
                chain y {
                        type filter hook ingress device eth0 priority 0; policy accept;
                        tcp dport 22 reject with tcp reset
                }
        }
* Optimized bytecode generation for prefix match
        # nft --debug=netlink x y ip saddr 192.168.2.0/24
        ip
          [ payload load 3b @ network header + 12 => reg 1 ]
          [ cmp eq reg 1 0x0002a8c0 ]
Resulting in two instructions instead of three (bitwise is removed on
byte-boundaries).
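To show where the saved instruction comes from, here is an added Python model (not nft's code generator) that derives the payload load, the optional bitwise mask and the cmp immediate for an IPv4 prefix, printing registers as nft --debug=netlink does on a little-endian host. The /24 case reproduces the two instructions above; the non-byte-boundary path (load the minimum bytes, then mask) and the exact bitwise line format are my extrapolation, not output quoted from the page.

```python
def _reg32(data):
    """Render up to 4 register bytes the way nft --debug=netlink prints them:
    a 32-bit word in host byte order (little-endian, as on the host that
    produced the page's output). Short loads leave the high bytes zero."""
    return int.from_bytes(data.ljust(4, b"\x00"), "little")

def prefix_match_bytecode(prefix, field="saddr"):
    """Return the nft-style instruction list for 'ip <field> <prefix>'."""
    addr, plen_s = prefix.split("/")
    plen = int(plen_s)
    if not 0 < plen <= 32:
        raise ValueError("prefix length must be 1..32")
    offset = {"saddr": 12, "daddr": 16}[field]   # IPv4 header field offsets
    addr_bytes = bytes(int(o) for o in addr.split("."))
    full, rem = divmod(plen, 8)
    nbytes = full + (1 if rem else 0)            # smallest load covering the prefix
    loaded = addr_bytes[:nbytes]
    code = [f"[ payload load {nbytes}b @ network header + {offset} => reg 1 ]"]
    if rem:
        # Prefix ends mid-byte: mask the partial byte before comparing
        # (assumed format of the bitwise line; see lead-in).
        mask = b"\xff" * full + bytes([(0xff << (8 - rem)) & 0xff])
        loaded = bytes(a & m for a, m in zip(loaded, mask))
        code.append(f"[ bitwise reg 1 = (reg 1 & 0x{_reg32(mask):08x} ) ^ 0x00000000 ]")
    # On a byte boundary the bitwise step is skipped: two instructions, not three.
    code.append(f"[ cmp eq reg 1 0x{_reg32(loaded):08x} ]")
    return code
```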
* Support for several statements per set element. The example below
updates a set from the packet path (dynamic set), and it shows how
to ratelimit first then count packets that go through per set element.
        table ip x {
                set y {
                        type ipv4_addr
                        size 65535
                        flags dynamic,timeout
                        timeout 1h
                }
                chain z {
                        type filter hook output priority filter; policy accept;
                        update @y { ip daddr limit rate 1/second counter }
                }
        }
You can also use the multi-statement support for (non-dynamic) sets.
        table ip x {
                set y {
                        type ipv4_addr
                        limit rate 1/second counter
                        elements = { 1.1.1.1, 4.4.4.4, 5.5.5.5 }
                }
                chain y {
                        type filter hook output priority filter; policy accept;
                        ip daddr @y
                }
        }
In this case, you can add new elements from the control plane:
        # nft add element x y { 6.6.6.6 }
and the new element then runs the specified rate limit and counter statements.
This requires a Linux kernel >= 5.11-rc1.
* editline support for nft -i (CLI); you can enable it at compile time:
        ./configure --with-cli=editline
You can download this new release from:
https://www.netfilter.org/projects/nftables/downloads.html#nftables-0.9.8
To build the code, libnftnl >= 1.1.9 and libmnl >= 1.0.4 are required:
* https://netfilter.org/projects/libnftnl/index.html
* https://netfilter.org/projects/libmnl/index.html
Visit our wikipage for user documentation at:
* https://wiki.nftables.org
For the manpage reference, check man(8) nft.
In case of bugs and feature requests, file them via:
* https://bugzilla.netfilter.org
Happy firewalling.
Attachment: changes-nftables-0.9.8.txt
Florian Westphal (23):
      tests: json: add missing test case output
      tests: avoid warning and add missing json test cases
      json: add missing nat_type flag and netmap nat flag
      json: fix ip6 dnat test case after range to prefix transformation change
      parser: merge sack-perm/sack-permitted and maxseg/mss
      tcpopts: clean up parser -> tcpopt.c plumbing
      tcpopt: rename noop to nop
      tcpopt: split tcpopt_hdr_fields into per-option enum
      tcpopt: allow to check for presence of any tcp option
      tcp: add raw tcp option match support
      json: tcp: add raw tcp option match support
      exthdr: remove unused proto_key member from struct
      proto: reduce size of proto_desc structure
      src: add auto-dependencies for ipv4 icmp
      tests: fix exepcted payload of icmp expressions
      src: add auto-dependencies for ipv6 icmp6
      tests: fix exepcted payload of icmpv6 expressions
      payload: auto-remove simple icmp/icmpv6 dependency expressions
      tests: icmp, icmpv6: avoid remaining warnings
      tests: ip: add one test case to cover both id and sequence
      tests: icmp, icmpv6: check we don't add second dependency
      nft: trace: print packet unconditionally
      json: don't leave dangling pointers on hlist

Jeremy Sowden (3):
      doc: correct chain name in example of adding a rule
      tests: py: remove duplicate payloads.
      tests: py: update format of registers in bitwise payloads.

Jose M. Guisado Gomez (5):
      evaluate: add netdev support for reject default
      tests: py: add netdev folder and reject.t icmp cases
      src: enable json echo output when reading native syntax
      monitor: add assignment check for json_echo
      monitor: fix formatting of if statements

Pablo Neira Ayuso (19):
      tests: shell: exercise validation with nft -c
      parser_bison: allow to restore limit from dynamic set
      mnl: reply netlink error message might be larger than MNL_SOCKET_BUFFER_SIZE
      src: report EPERM for non-root users
      parser_bison: double close_scope() call for implicit chains
      tests: shell: timeouts later than 23 days
      build: search for python3
      src: add support for multi-statement in dynamic sets and maps
      src: add set element multi-statement support
      src: disallow burst 0 in ratelimits
      tests: shell: set element multi-statement support
      src: set on flags to request multi-statement support
      cli: add libedit support
      cli: use plain readline() interface with libedit
      main: fix typo in cli definition
      include: resync nf_tables.h cache copy
      segtree: honor set element expiration
      evaluate: disallow ct original {s,d}ddr from maps
      build: Bump version to v0.9.8

Phil Sutter (8):
      tests/shell: Improve fix in sets/0036add_set_element_expiration_0
      src: Support odd-sized payload matches
      src: Optimize prefix matches on byte-boundaries
      proto: Fix ARP header field ordering
      json: echo: Speedup seqnum_to_json()
      json: Fix seqnum_to_json() functionality
      doc: Document 'dccp type' match
      tests: py: Fix for changed concatenated ranges output